OW
Uploaded byOliver Wulff
ODP, PPTX4,283 views

ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud

The document discusses single sign-on (SSO) and fine-grained authorization in cloud applications. It covers authentication and authorization challenges, how standards like WS-Federation address these challenges, and how Apache CXF Fediz implements WS-Federation. Specifically, Fediz provides an identity provider (IDP), security token service (STS) and plugin to enable SSO and claims-based authorization in web apps running in different containers.

Embed presentation

Download as ODP, PPTX
SSO and fine grained authorization in the cloud Oliver Wulff
Brief introduction ● Solution Architect ● Web Services (Axis, CXF, …) ● Security (WS-*, Kerberos, Web SSO, …) ● Corba ● Java / C# / C++ ● Apache CXF PMC member ● Talend Community Coder (coders.talend.com) ● http://owulff.blogspot.com ● owulff@apache.org
Agenda ● Authentication & Authorization in Web Applications ● Apache CXF Fediz ● Fediz and STS Use cases ● Relying Party IDP ● Fediz Roadmap
Authentication & Authorization in Web Applications
Application Security 10 years ago ● SSO solution using Reverse Proxy ● Proprietary SSO token / protocol ● Same product at Reverse Proxy, Application Server andcentral Security Service ● Security tokens validated by remote Security Server ● Role Based Access Control (Java, .NET API) ● User/ID management internal
Security Challenges ● Non IT company – Buy vs build (non IT company) – Applications hosted in the cloud ● SaaS for IT companies ● Integrate several IDM systems (B2B customers) ● Access to user information – Network connectivity – Replicating user information ● Reduce Security Code in the Application
Gaps ● Fine grained authorization (beyond RBAC) in application logic ● Tight coupling to custom security components and protocols (central server, reverse proxy, proxy agent) ● Tight coupling to single user domain ● Lack of agility and risk due to managing B2B users internally ● Different authentication mechanism in the application (container) ● Integration with Web Services Stack ● Mock testing
How to address that? ● Indirect Trust Relationship to Security Server ● Push user data to the application instead of pulling it ● Externalize Authentication to a Central server ● Lightweight Open Source component ● Industry standard based solution
WS-Federation ● OASIS Standard 2009 ● Security Token agnostic (SAML 1.1/2.0, …) ● Extends WS-Trust ● Browser and Web Services SSO ● PRP adapts Browser to WS-Trust ● No connectivity between Application and IDP required (Cloud) ● Claims/Attribute Based Access Control ● Supports several Authentication domains
WS-Trust Security Token Service 1. Consumer requests token from STS, presenting credentials (RST = Request Security Token) 2. STS verifies credentials and issues signed token 3. STS sends token back to consumer (RSTR = Request Security Token Response) 4. Consumer encloses token in message to service provider (optionally signing message) 5. Service provider validates token (and signature) 6. Service provider sends response to consumer WS-SecurityPolicy brings flexibility and transparency to service consumer
Apache CXF Fediz
Apache CXF Fediz ● Sub-project of Apache CXF project ● Work started mid of 2011 ● Community growing ● First release in June 2012 ● Current release 1.0.2 ● Finishing work for 1.1
Apache CXF Fediz Id e n tity P r o v id e r (ID P ) S e c u r ity T o k e n S e r v ic e (S T S ) W S - F e d e r a tio n F e d iz ID P n tio S e c u r ity T o k e n s t ic a e n W S -T ru s t is s u e d b y S T S en Tok F e d iz S T S u th A  U s e r M a c h in e B ro w s e r R e ly in g P a r ty (R P ) A cc es s  W W e b A p p lic a tio n R eb ec ed A to ir p p ID t lic P at io n F e d iz P lu g in H TTP S S e r v le t C o n ta in e r
Apache CXF Fediz 2 ) S ig n In R e q u e s t 3 ) L o g in Id e n tity P r o v id e r W eb U ser ID P / S T S 4 ) P o s t C r e d e n tia ls 5 ) S ig n In R e s p o n s e S A M L to k e n B ro w s e r T r u s t r e la t io n s h ip S ig n e d T o k e n N o C a ll to S T S 7 ) R e s o u r c e , S e t C o o k ie R e ly in g P a r ty 6 ) P o s t S ig n In R e s p o n s e E x . T o m c a t, W e b s p h e re , A S P .N E T , e tc . 1 ) H T T P G E T re s o u rc e R e d ir e c t to I D P
Apache CXF STS ● WS-Trust 1.3/1.4 ● SAML token creation ● WS-SecurityPolicy 1.3 customizable ● RST Subject, Audience, authenticationUsername/Kerb AttributeStatements,… eros/SAML token ● Claims support ● Security Bindings: ● Support for realms/security Symmetric, Asymmetric, domains Transport ● Identity Mapping ● Supported bindings ● Claims transformation Issue, validate, cancel, renew ● Advanced RST ● Token provider elementsKeyType, Entropy, SAML 1.1/2.0 (HOK, Bearer), AppliesTo, Custom, SecondaryParameters, … Secure Conversation ● Intermediary ● Token encryption supportOnBehalfOf, ActAs ● Issue/validate supports ● Custom Claims dialects token transformation ● Batch processing (RSTC)
Fediz IDP / STS ● Username / password authentication ● User store (File, LDAP, JAAS) – File store – LDAPLoginModule – Other JAAS Login Module ● Claims/Role store (File, LDAP) – LdapClaimsHandler – FileClaimsHandler – custom ● SAML Token creation customizable ● Small footprint (Mock testing) ● Wiki http://cxf.apache.org/fediz-idp.html
Fediz Plugin ● WS-Federation 1.0/1.1/1.2 ● SAML 1.1 / 2.0 Tokens ● IDP trust types Chain Trust, Direct Trust ● Core Logic Container independent ● Supports Tomcat 7 ● WS-Federation Metadata publish ● Claims provided in FederationPrincipal ● Wiki http://cxf.apache.org/fediz-idp.html
Fediz Plugin Configuration Config element Description Metadata issuer Issuer URL PassiveRequestorEndpoint realm Realm TargetScope authenticationType Authentication Type NA roleURI Claim URI for roles NA roleDelimiter Role Value Delimiter NA claimTypesRequested Requested claims ClaimTypesRequested homeRealm Home Realm NA tokenValidators Security Token Validator NA signingKey Key for Metadata Metadata signature signature
Fediz Plugin Extensions (1/2) ● Customize Sign-In Request Configuration SignIn Request Callback object authenticationType wauth WAuthCallback homeRealm whr HomeRealmCallback freshness wfresh FreshnessCallback issuer N.A. IDPCallback ● Customize Security Token Validation
Fediz Plugin Extensions (2/2) ● Callback Handler implementation for Home Realm Discovery public class MyCallbackHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws … { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof HomeRealmCallback) { HomeRealmCallback callback = (HomeRealmCallback) callbacks[i]; HttpServletRequest request = callback.getRequest(); String homeRealm = ... callback.setHomeRealm(homeRealm); } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } } ● Wiki http://cxf.apache.org/fediz-extensions.html
Fediz Interoperability Fediz IDP Adnovum IDP Microsoft ADFS Fediz Plugin ASP.NET ● Fediz STS based on Apache CXF STS ● Apache CXF STS integrated into Adnovum IDP
Fediz and STS Use cases
STS: Use case Web SSO Fediz example “simpleWebapp” https://localhost:8443/fedizhelloworld/secure/fedservlet
Standards ● WS-Federation 1.2 ● WS-Trust 1.3 ● SAML 2.0 ● OASIS Identity Metasystem CXF STS capabilities ● RST UsernameKerberos ● SAML 2.0 Bearer ● Claims from LDAP ● Claim data in AttributeStatement Federation plugin ● SAML token validation (WSS4J, OpenSAML) ● Creates security context
STS: Use case intermediary Fediz example “wsclientWebapp” https://localhost:8443/fedizhelloworld/secure/service.jsp
Standards ● WS-Trust 1.3 ● SAML 2.0 ● WS-SecurityPolicy CXF STS capabilities CXF capabilities ● RST SAML token [4,6] ● Issued token assertion(WS-SecurityPolicy) ● SAML 2.0 Bearer [6] ● SecondaryParameters ● Custom Token [4] ● OnBehalfOf (BinarySecurityToken) ● Token caching ● Token transformation [4,6] ● Identity Mapping[4] ● OnBehalfOf [4,6]
Relying Party IDP
More than one Requestor IDP ● WS-Federation defines Requestor and Relying Party IDP ● RP IDP issues SAML token for application in a requestor independent format ● Integrate Requestor IDPs without affecting application ● HomeRealm Discovery ● RP IDP federates Identities or Claims
Internal ID management Federate identites R e q u e s to r Id P ● CXF IdentityMapper R e q u e s to r Id P m y c o m p a n y .c o m ● Relationship: FederateIdentity APAC m y c o m p a n y .c o m EM EA R P - Id P H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat
Hyprid ID management R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat Federate identities ● CXF IdentityMapper ● Relationship: FederateIdentity
External requestor IDPs (SaaS) R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 2 B ro w s e r a d a ta m .c o m 1 R e ly in g P a r ty 1 A p p lic a tio n 3 C o n ta in e r Ex. Tom cat R e q u e s to r Id P Federate claims/attributes a d a ta m .c o m ● CXF ClaimsMapper E x te rn a l ● Relationship: FederateClaims
Fediz Roadmap ● WS-Federation support for RP-IDP (1.1) ● HomeRealm Discovery (1.1) ● SAML Profile (1.1+) ● Support encrypted SAML tokens (1.1) ● SAML Holder-Of-Key (1.1) ● Fediz Plugin support – Karaf (1.1) – Jetty (1.1) – Spring Security (1.1)
More information ● Fediz website http://cxf.apache.org/fediz.html ● Blogs http://coheigea.blogspot.com http://www.dankulp.com/blog/ http://sberyozkin.blogspot.com http://owulff.blogspot.com
Content Slides ● Level 1 – Level 2 ● Level 3 – Level 4 ● Level 5
Standards ● WS-Trust 1.3 ● SAML 2.0 Id e n tity P r o v id e r ● WS-SecurityPolicy < < S o la r is > > Id e n tit y S to r e Id e n tity S to r e < < W in d o w s > > < < M a in f r a m e > > ID P < < N e v is > > CXF STS capabilities 2 .1 LDAP RACF STS 2 .2 RST SAML token [4,6] <<CXF>> ● ● SAML 2.0 Bearer [6] 4 .1 ● Custom Token [4] (BinarySecurityToken) B u s in e s s S e r v ic e 2 < < T o m c a t> > ● Token transformation [4,6] 4 / 6 Identity Mapping[4] A p p lic a t io n ● J A X -R P C ● OnBehalfOf [4,6] Not CXF W e b A p p lic a tio n < < T o m c a t> > T ) ( BS CXF capabilities B ro w s e r 5 3 A p p lic a tio n ● Issued token assertion(WS- 1 J A X -W S B u s in e s s S e r v ic e SecurityPolicy) F e d e r a t io n _ _ CXF < < O S G i K a ra f> > ● SecondaryParameters 7 (S T ) A p p lic a t io n ● OnBehalfOf J A X -W S ● Token caching CXF

More Related Content

PPT
Presentation sso design_security
byMarco Morana
 
PDF
Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...
byShane Mitchell
 
PDF
New eraformulablueprint
byRudy Rich
 
PDF
XS Oracle 2009 Networking 10gig
byThe Linux Foundation
 
PDF
Katakana 1
byjfordha6
 
ODP
Apache CXF - New Features
byDaniel Kulp
 
PDF
Borderless Federated-Identity
byWSO2
 
PDF
CIS14: Building Blocks for Mobile Authentication and Security
byCloudIDSummit
 
Presentation sso design_security
byMarco Morana
 
Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...
byShane Mitchell
 
New eraformulablueprint
byRudy Rich
 
XS Oracle 2009 Networking 10gig
byThe Linux Foundation
 
Katakana 1
byjfordha6
 
Apache CXF - New Features
byDaniel Kulp
 
Borderless Federated-Identity
byWSO2
 
CIS14: Building Blocks for Mobile Authentication and Security
byCloudIDSummit
 

Similar to ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud

PDF
SharePoint Saturday Houston: SharePoint 2010 Extranets & Claims Authentication
byBrian Culver
 
PDF
Cloud Foundry - A Lightning Introduction
byAndy Piper
 
PPT
learning interoperability from web2.0
byShoaib Burq
 
PDF
Migrating to Cloud Foundry
byPeter Ledbrook
 
PPTX
Thomas vochten claims-spsbe26
byBIWUG
 
PPT
Network security
byGichelle Amon
 
PDF
Cloud Foundry bootcamp at ContributingCode
byChris Richardson
 
PPT
IPC NRF Presentation
byTyler Hannan
 
PPT
Android Cloud to Device Messaging Framework
byPrajyot Mainkar
 
PDF
MongoSF 2012
byMonica Wilkinson
 
PDF
2010 Q1 WSO2 Technical Update
byWSO2
 
PDF
Cloud Foundry for Java devs
byPeter Ledbrook
 
KEY
Hands On CloudFoundry
byEric Bottard
 
PDF
Incorporating Microsoft Sharepoint into your Web 2.0 Initiatives: Greg Klebus
byDay Software
 
PDF
Soa Security Testing
byJaipal Naidu
 
PDF
Webinar - Q2 2010 - Leveraging MS SharePoint for Your Online Marketing Initia...
bydaysoftware
 
PDF
Migrating to CloudFoundry
byGR8Conf
 
PPT
HP - 2martie2011
byAgora Group
 
PPT
Alison Fleming Michael Upton Collaborating for Success
byFuture Perfect 2012
 
PDF
Spring Data and MongoDB
byOliver Gierke
 
SharePoint Saturday Houston: SharePoint 2010 Extranets & Claims Authentication
byBrian Culver
 
Cloud Foundry - A Lightning Introduction
byAndy Piper
 
learning interoperability from web2.0
byShoaib Burq
 
Migrating to Cloud Foundry
byPeter Ledbrook
 
Thomas vochten claims-spsbe26
byBIWUG
 
Network security
byGichelle Amon
 
Cloud Foundry bootcamp at ContributingCode
byChris Richardson
 
IPC NRF Presentation
byTyler Hannan
 
Android Cloud to Device Messaging Framework
byPrajyot Mainkar
 
MongoSF 2012
byMonica Wilkinson
 
2010 Q1 WSO2 Technical Update
byWSO2
 
Cloud Foundry for Java devs
byPeter Ledbrook
 
Hands On CloudFoundry
byEric Bottard
 
Incorporating Microsoft Sharepoint into your Web 2.0 Initiatives: Greg Klebus
byDay Software
 
Soa Security Testing
byJaipal Naidu
 
Webinar - Q2 2010 - Leveraging MS SharePoint for Your Online Marketing Initia...
bydaysoftware
 
Migrating to CloudFoundry
byGR8Conf
 
HP - 2martie2011
byAgora Group
 
Alison Fleming Michael Upton Collaborating for Success
byFuture Perfect 2012
 
Spring Data and MongoDB
byOliver Gierke
 

ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud

  • 1.
    SSO and finegrained authorization in the cloud Oliver Wulff
  • 2.
    Brief introduction ● Solution Architect ● Web Services (Axis, CXF, …) ● Security (WS-*, Kerberos, Web SSO, …) ● Corba ● Java / C# / C++ ● Apache CXF PMC member ● Talend Community Coder (coders.talend.com) ● http://owulff.blogspot.com ● owulff@apache.org
  • 3.
    Agenda ● Authentication & Authorization in Web Applications ● Apache CXF Fediz ● Fediz and STS Use cases ● Relying Party IDP ● Fediz Roadmap
  • 4.
  • 5.
    Application Security 10years ago ● SSO solution using Reverse Proxy ● Proprietary SSO token / protocol ● Same product at Reverse Proxy, Application Server andcentral Security Service ● Security tokens validated by remote Security Server ● Role Based Access Control (Java, .NET API) ● User/ID management internal
  • 6.
    Security Challenges ● Non IT company – Buy vs build (non IT company) – Applications hosted in the cloud ● SaaS for IT companies ● Integrate several IDM systems (B2B customers) ● Access to user information – Network connectivity – Replicating user information ● Reduce Security Code in the Application
  • 7.
    Gaps ● Fine grained authorization (beyond RBAC) in application logic ● Tight coupling to custom security components and protocols (central server, reverse proxy, proxy agent) ● Tight coupling to single user domain ● Lack of agility and risk due to managing B2B users internally ● Different authentication mechanism in the application (container) ● Integration with Web Services Stack ● Mock testing
  • 8.
    How to addressthat? ● Indirect Trust Relationship to Security Server ● Push user data to the application instead of pulling it ● Externalize Authentication to a Central server ● Lightweight Open Source component ● Industry standard based solution
  • 9.
    WS-Federation ● OASIS Standard 2009 ● Security Token agnostic (SAML 1.1/2.0, …) ● Extends WS-Trust ● Browser and Web Services SSO ● PRP adapts Browser to WS-Trust ● No connectivity between Application and IDP required (Cloud) ● Claims/Attribute Based Access Control ● Supports several Authentication domains
  • 10.
    WS-Trust Security TokenService 1. Consumer requests token from STS, presenting credentials (RST = Request Security Token) 2. STS verifies credentials and issues signed token 3. STS sends token back to consumer (RSTR = Request Security Token Response) 4. Consumer encloses token in message to service provider (optionally signing message) 5. Service provider validates token (and signature) 6. Service provider sends response to consumer WS-SecurityPolicy brings flexibility and transparency to service consumer
  • 11.
  • 12.
    Apache CXF Fediz ● Sub-project of Apache CXF project ● Work started mid of 2011 ● Community growing ● First release in June 2012 ● Current release 1.0.2 ● Finishing work for 1.1
  • 13.
    Apache CXF Fediz Id e n tity P r o v id e r (ID P ) S e c u r ity T o k e n S e r v ic e (S T S ) W S - F e d e r a tio n F e d iz ID P n tio S e c u r ity T o k e n s t ic a e n W S -T ru s t is s u e d b y S T S en Tok F e d iz S T S u th A  U s e r M a c h in e B ro w s e r R e ly in g P a r ty (R P ) A cc es s  W W e b A p p lic a tio n R eb ec ed A to ir p p ID t lic P at io n F e d iz P lu g in H TTP S S e r v le t C o n ta in e r
  • 14.
    Apache CXF Fediz 2 ) S ig n In R e q u e s t 3 ) L o g in Id e n tity P r o v id e r W eb U ser ID P / S T S 4 ) P o s t C r e d e n tia ls 5 ) S ig n In R e s p o n s e S A M L to k e n B ro w s e r T r u s t r e la t io n s h ip S ig n e d T o k e n N o C a ll to S T S 7 ) R e s o u r c e , S e t C o o k ie R e ly in g P a r ty 6 ) P o s t S ig n In R e s p o n s e E x . T o m c a t, W e b s p h e re , A S P .N E T , e tc . 1 ) H T T P G E T re s o u rc e R e d ir e c t to I D P
  • 15.
    Apache CXF STS ● WS-Trust 1.3/1.4 ● SAML token creation ● WS-SecurityPolicy 1.3 customizable ● RST Subject, Audience, authenticationUsername/Kerb AttributeStatements,… eros/SAML token ● Claims support ● Security Bindings: ● Support for realms/security Symmetric, Asymmetric, domains Transport ● Identity Mapping ● Supported bindings ● Claims transformation Issue, validate, cancel, renew ● Advanced RST ● Token provider elementsKeyType, Entropy, SAML 1.1/2.0 (HOK, Bearer), AppliesTo, Custom, SecondaryParameters, … Secure Conversation ● Intermediary ● Token encryption supportOnBehalfOf, ActAs ● Issue/validate supports ● Custom Claims dialects token transformation ● Batch processing (RSTC)
  • 16.
    Fediz IDP /STS ● Username / password authentication ● User store (File, LDAP, JAAS) – File store – LDAPLoginModule – Other JAAS Login Module ● Claims/Role store (File, LDAP) – LdapClaimsHandler – FileClaimsHandler – custom ● SAML Token creation customizable ● Small footprint (Mock testing) ● Wiki http://cxf.apache.org/fediz-idp.html
  • 17.
    Fediz Plugin ● WS-Federation 1.0/1.1/1.2 ● SAML 1.1 / 2.0 Tokens ● IDP trust types Chain Trust, Direct Trust ● Core Logic Container independent ● Supports Tomcat 7 ● WS-Federation Metadata publish ● Claims provided in FederationPrincipal ● Wiki http://cxf.apache.org/fediz-idp.html
  • 18.
    Fediz Plugin Configuration Config element Description Metadata issuer Issuer URL PassiveRequestorEndpoint realm Realm TargetScope authenticationType Authentication Type NA roleURI Claim URI for roles NA roleDelimiter Role Value Delimiter NA claimTypesRequested Requested claims ClaimTypesRequested homeRealm Home Realm NA tokenValidators Security Token Validator NA signingKey Key for Metadata Metadata signature signature
  • 19.
    Fediz Plugin Extensions(1/2) ● Customize Sign-In Request Configuration SignIn Request Callback object authenticationType wauth WAuthCallback homeRealm whr HomeRealmCallback freshness wfresh FreshnessCallback issuer N.A. IDPCallback ● Customize Security Token Validation
  • 20.
    Fediz Plugin Extensions(2/2) ● Callback Handler implementation for Home Realm Discovery public class MyCallbackHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws … { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof HomeRealmCallback) { HomeRealmCallback callback = (HomeRealmCallback) callbacks[i]; HttpServletRequest request = callback.getRequest(); String homeRealm = ... callback.setHomeRealm(homeRealm); } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } } ● Wiki http://cxf.apache.org/fediz-extensions.html
  • 21.
    Fediz Interoperability Fediz IDP Adnovum IDP Microsoft ADFS Fediz Plugin ASP.NET ● Fediz STS based on Apache CXF STS ● Apache CXF STS integrated into Adnovum IDP
  • 22.
    Fediz and STSUse cases
  • 23.
    STS: Use caseWeb SSO Fediz example “simpleWebapp” https://localhost:8443/fedizhelloworld/secure/fedservlet
  • 24.
    Standards ● WS-Federation1.2 ● WS-Trust 1.3 ● SAML 2.0 ● OASIS Identity Metasystem CXF STS capabilities ● RST UsernameKerberos ● SAML 2.0 Bearer ● Claims from LDAP ● Claim data in AttributeStatement Federation plugin ● SAML token validation (WSS4J, OpenSAML) ● Creates security context
  • 25.
    STS: Use caseintermediary Fediz example “wsclientWebapp” https://localhost:8443/fedizhelloworld/secure/service.jsp
  • 26.
    Standards ● WS-Trust 1.3 ● SAML 2.0 ● WS-SecurityPolicy CXF STS capabilities CXF capabilities ● RST SAML token [4,6] ● Issued token assertion(WS-SecurityPolicy) ● SAML 2.0 Bearer [6] ● SecondaryParameters ● Custom Token [4] ● OnBehalfOf (BinarySecurityToken) ● Token caching ● Token transformation [4,6] ● Identity Mapping[4] ● OnBehalfOf [4,6]
  • 27.
  • 28.
    More than oneRequestor IDP ● WS-Federation defines Requestor and Relying Party IDP ● RP IDP issues SAML token for application in a requestor independent format ● Integrate Requestor IDPs without affecting application ● HomeRealm Discovery ● RP IDP federates Identities or Claims
  • 29.
    Internal ID management Federate identites R e q u e s to r Id P ● CXF IdentityMapper R e q u e s to r Id P m y c o m p a n y .c o m ● Relationship: FederateIdentity APAC m y c o m p a n y .c o m EM EA R P - Id P H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat
  • 30.
    Hyprid ID management R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat Federate identities ● CXF IdentityMapper ● Relationship: FederateIdentity
  • 31.
    External requestor IDPs(SaaS) R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 2 B ro w s e r a d a ta m .c o m 1 R e ly in g P a r ty 1 A p p lic a tio n 3 C o n ta in e r Ex. Tom cat R e q u e s to r Id P Federate claims/attributes a d a ta m .c o m ● CXF ClaimsMapper E x te rn a l ● Relationship: FederateClaims
  • 32.
    Fediz Roadmap ● WS-Federation support for RP-IDP (1.1) ● HomeRealm Discovery (1.1) ● SAML Profile (1.1+) ● Support encrypted SAML tokens (1.1) ● SAML Holder-Of-Key (1.1) ● Fediz Plugin support – Karaf (1.1) – Jetty (1.1) – Spring Security (1.1)
  • 33.
    More information ● Fediz website http://cxf.apache.org/fediz.html ● Blogs http://coheigea.blogspot.com http://www.dankulp.com/blog/ http://sberyozkin.blogspot.com http://owulff.blogspot.com
  • 34.
    Content Slides ● Level 1 – Level 2 ● Level 3 – Level 4 ● Level 5
  • 35.
    Standards ● WS-Trust 1.3 ● SAML 2.0 Id e n tity P r o v id e r ● WS-SecurityPolicy < < S o la r is > > Id e n tit y S to r e Id e n tity S to r e < < W in d o w s > > < < M a in f r a m e > > ID P < < N e v is > > CXF STS capabilities 2 .1 LDAP RACF STS 2 .2 RST SAML token [4,6] <<CXF>> ● ● SAML 2.0 Bearer [6] 4 .1 ● Custom Token [4] (BinarySecurityToken) B u s in e s s S e r v ic e 2 < < T o m c a t> > ● Token transformation [4,6] 4 / 6 Identity Mapping[4] A p p lic a t io n ● J A X -R P C ● OnBehalfOf [4,6] Not CXF W e b A p p lic a tio n < < T o m c a t> > T ) ( BS CXF capabilities B ro w s e r 5 3 A p p lic a tio n ● Issued token assertion(WS- 1 J A X -W S B u s in e s s S e r v ic e SecurityPolicy) F e d e r a t io n _ _ CXF < < O S G i K a ra f> > ● SecondaryParameters 7 (S T ) A p p lic a t io n ● OnBehalfOf J A X -W S ● Token caching CXF